Problem with Formbean validate method forwarding to input page
I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107
Re: Problem with Formbean validate method forwarding to input page
If you are using struts, why go back to a .jsp page? You should be going back to a .do page. Since the .do is a struts action it will be able to get to your jsp page. Todd Bryant [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Problem with Formbean validate method forwarding to input page
Make your input action an error page, which just has the error and no sensitive data and make a success forward that you only send the user to if everything checks out. Todd Bryant wrote: I have need for every page in my web app to be secure. What I originally did was extend the Action class to make a secure action class. The SecureAction's perform method validates that the user is logged in and if not, sends them to the login page. All actions in my app extend SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF, WEB-INF/jsp. This way a user cannot directly access any jsp. They can only be accessed through a forward in an action. This completely secures all resources in my application. This is where I run into a problem. If I use the validate() method of the formbean and it returns a non-empty ActionErrors object, then the request is diverted to resource that is set as the input, in this case a jsp. Because of this, if a user were to put in some bogus field values in the url, she would be able to cause the formbean to no validate and get the jsp to display, bypassing the secure action. I can secure each jsp, but this is redundant if I have them in the WEB-INF folder in the first place. I would rather avoid this fix. I know that overriding the default action class is a common way to secure your app as I have read about it more than one place, however, I have never seen this problem addressed. Has anyone else ran across this problem before and come up with a solution? Thanks in advance. Todd Bryant Programmer/Analyst University of Nebraska Foundation 402-472-0107 - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Problem with Formbean validate method forwarding to input page
Maybe you should be handling your security in the request processor.
Have a method like this:
protected ActionForward processActionPerform(
HttpServletRequest request,
HttpServletResponse response,
Action action,
ActionForm form,
ActionMapping mapping)
throws IOException, ServletException {
try {
validSession(request);
return (action.execute(mapping, form, request, response));
} catch (SecurityException e) {
return (processException(request, response,e, form, mapping));
}
}
Where validateSession throws a SecurityException if the user is not
logged in and processException knows where to send the user to log in.
There are different ways to do it, but the basic principle is to
authenticate the user's session before the Action executes, so you don't
have to worry about that in the Action.
Todd Bryant wrote:
That is a good suggestion, and I had thought of that, but the problem is
that a user would have to go from the error page back to the page they were
on. This would make it prohibitively difficult to interact with this
particular app (too many clicks).
-Original Message-
From: Paul Barry [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 4:07 PM
To: Struts Users Mailing List
Subject: Re: Problem with Formbean validate method forwarding to input page
Make your input action an error page, which just has the error and no
sensitive data and make a success forward that you only send the user to
if everything checks out.
Todd Bryant wrote:
I have need for every page in my web app to be secure. What I originally
did
was extend the Action class to make a secure action class. The
SecureAction's perform method validates that the user is logged in and if
not, sends them to the login page. All actions in my app extend
SecureAction. To protect my jsp's, I put them in a subfolder of WEB-INF,
WEB-INF/jsp. This way a user cannot directly access any jsp. They can only
be accessed through a forward in an action. This completely secures all
resources in my application.
This is where I run into a problem. If I use the validate() method of the
formbean and it returns a non-empty ActionErrors object, then the request
is
diverted to resource that is set as the input, in this case a jsp.
Because
of this, if a user were to put in some bogus field values in the url, she
would be able to cause the formbean to no validate and get the jsp to
display, bypassing the secure action. I can secure each jsp, but this is
redundant if I have them in the WEB-INF folder in the first place. I would
rather avoid this fix.
I know that overriding the default action class is a common way to secure
your app as I have read about it more than one place, however, I have
never
seen this problem addressed. Has anyone else ran across this problem
before
and come up with a solution? Thanks in advance.
Todd Bryant
Programmer/Analyst
University of Nebraska Foundation
402-472-0107
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
